Anthem Data Breach Case Moves Toward Trial
SAN JOSE (CN) - A giant data breach case against Anthem and Blue Cross appears headed for trial after a federal judge told attorneys at a case management conference to move on to discovery.
"I am likely to deny the defense's motion, so please move forward with discovery," U.S. District Judge Lucy Koh said Thursday.
Koh indicated that six of the seven claims are likely to survive the motion to dismiss phase, and asked attorneys for both sides to consider reducing the claims to four.
She said narrowing the case is important, as its complexity, involving contract breaches in several states as well as federal claims and the enormous number of contracts the court will be forced to consider could make prompt adjudication impossible.
"I don't want to prejudice either side, but I want you to make this humanly feasible," Koh said.
Anthem attorney Craig Hoover said he was reluctant to agree to anything until the ruling is issued, and until the July 11 deadline for adding plaintiffs had passed.
"We don't want to submit identical papers just to force you to read them, but we also don't want you looking at a tiny slice of the pie," Hoover said.
Koh said the complexity and lack of precedents in data breach class actions made it a difficult case. "We are going to have to address a lot of novel issues," she said.
The Anthem data breach, which the company disclosed in February 2015, involved more than 37 million records from the company's computer system, affecting an estimated 80 million people.
The cyberattack is believed to have been carried out by China, though the country denies it.
Consumers nationwide filed multiple lawsuits against Anthem, 28 Anthem affiliates, Blue Cross Blue Shield Association, and 17 non-Anthem Blue Cross Blue Shield companies.
Anthem, the nation's second-largest health insurer, serves members through various Blue Cross Blue Shield licensee affiliates and other non-Blue Cross Blue Shield affiliates. It also works with the Blue Cross Blue Shield Association and several independent Blue Cross Blue Shield licensees via the BlueCard program.
Anthem's computer database has personal and health information on about 80 million current and former clients, Koh said.
It was not the first such attack on Anthem. In 2009, about 600,000 customers of Wellpoint, Anthem's former trade name, "had their personal information and protected healthcare information compromised due to a data breach," Koh said.
The Department of Health and Human Services fined Anthem $1.7 million in 2013 for violations of data security.
In 2014, the federal government warned Anthem and other health care-companies of the possibility of more cyberattacks and advised them to take appropriate measures, including data encryption and enhanced password protection.
Consumers claim Anthem and its affiliates did not heed the warnings, and allowed hackers to extract massive amounts of data from its database from December 2014 to January 2015.
Anthem said it stopped the cyberattacks by Jan. 31, 2015.
Cybersecurity company Mandiant, which Anthem hired to assist its response to the data breach, released a report in July 2015 that said "Anthem and [its] affiliates [had] failed to take reasonable measures to secure the [personal and health information] in their possession."
Though Anthem publicly disclosed the data breach in February 2015, many customers said that were not personally informed until March 2015, if at all. They also said Anthem failed to disclose whether it has made any changes to its security practices to prevent another cyberattack.
Multiple lawsuits were transferred and consolidated in spring 2015. In June 2015, a multidistrict litigation judicial panel issued a transfer order and selected Koh.
On Feb. 14, she removed three Anthem entities and partially removed seven more, with leave to amend. Blue Cross and Blue Shield of Arizona, BlueCross BlueShield of Tennessee and Highmark West Virginia were dismissed.
Plaintiffs' attorney Eve Cervantez declined to comment after the hearing, as did Hoover.
Editor's Note: U.S. District Judge Lucy Koh formalized her findings from the hearing Friday in a 90-page opinion.